The commit at:
http://webcvs.freedesktop.org/xorg/xc/programs/Xserver/hw/xfree86/common/xf86Init.c?r1=1.16&r2=1.17
introduced a couple of bugs. Specifically, the test for geteuid == 0 will never
succeed, and the end result is that -logfile and -modulepath can be specified by
arbitrary local users, leading to DoS (-logfile /lib/libc.so.6), and arbitrary
code execution (-modulepath).
The fix is to change all geteuid == 0 or geteuid != 0 to geteuid() == 0 or
geteuid() != 0.
This was only introduced in 6.9/7.0, and does NOT apply to 6.8.x and earlier.
First noticed by Alan Coopersmith.
Coverity ID: 4
The best candidate for unembargo date would seem to be April 6th, 2006, or April
13th, 2006 (if I'm remembering right that things are generally uncloaked on
Thursdays).
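
An added illustration (not the Xorg source and not part of the report above) of why a comparison against the bare function name never rejects anything: the name decays to a non-null function pointer, so the test is decided without the uid ever being read. The policy modelled here (allow the option if the invoker is real root or the process is not running with euid 0), the function names and the uid 1000 are assumptions made for the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef uid_t (*uid_fn)(void);

/* Constructed stand-ins for geteuid() so both cases run without root. */
static uid_t euid_setuid_root(void) { return 0; }    /* setuid-root server */
static uid_t euid_plain_user(void)  { return 1000; } /* not elevated */

/* Buggy form: the function is named but never called. A function's
 * address is never null, so "!= 0" is always true and the check
 * allows the option for every caller. */
int option_allowed_buggy(uid_t ruid, uid_fn euid)
{
    return ruid == 0 || euid != 0;
}

/* Fixed form: call the function and compare the uid it returns. */
int option_allowed_fixed(uid_t ruid, uid_fn euid)
{
    return ruid == 0 || euid() != 0;
}

int main(void)
{
    uid_t user = 1000; /* constructed unprivileged real uid */

    printf("setuid server, local user: buggy=%d fixed=%d\n",
           option_allowed_buggy(user, euid_setuid_root),
           option_allowed_fixed(user, euid_setuid_root));
    printf("setuid server, real root:  buggy=%d fixed=%d\n",
           option_allowed_buggy(0, euid_setuid_root),
           option_allowed_fixed(0, euid_setuid_root));
    printf("unprivileged server, user: buggy=%d fixed=%d\n",
           option_allowed_buggy(user, euid_plain_user),
           option_allowed_fixed(user, euid_plain_user));

    /* The same check against the real process credentials. */
    printf("this process:              fixed=%d\n",
           option_allowed_fixed(getuid(), geteuid));
    return 0;
}
```

When the comparison is written against the literal name `geteuid` rather than a pointer parameter, gcc reports it under `-Waddress`, which `-Wall` enables.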

> introduced a couple of bugs. Specifically, the test for geteuid == 0 will never
> succeed, and the end result is that -logfile and -modulepath can be specified by
more accurately, never fail.
we would strongly prefer to not wait a month to unembargo this, so we can avoid
shipping FC5 with a local root exploit. who's actually shipping 7.0 in a stable
release?

so, ajax and alan, would an unembargo of friday the 17th give you sufficient
time to get your fixes through the processes?
(alternately, there could be an unembargo of friday the 20th, and rhat could
just take care to not ship before 1400 utc ...)

I could get a preliminary fix out that hadn't passed QA and a security alert
telling people to just chmod 755 Xorg and only start it via gdm/xdm/dtlogin and
not xinit. That's good enough for me to not object loudly.
I would prefer Monday March 20, since the 17th is an official holiday in at
least one country (and since part of our patch test/release team is in Ireland,
they'll be out that day), and an unofficial party day in others, such as the US.
ajax - are you going to release xorg-server-1.0.1 that day too? Should we
bother with an entire monolith release just for this or just publish an
advisory and patch with a note that it will be fixed in an upcoming 6.9.1
release?

For the monolithic tree, an advisory with a patch is enough. This is how
previous advisories were handled.
I've added xorg_security@x.org in the Cc: so everyone gets attention to the
discussion happening on bugzilla.

(In reply to comment #9)
> ajax - are you going to release xorg-server-1.0.1 that day too? Should we
> bother with an entire monolith release just for this or just publish an
> advisory and patch with a note that it will be fixed in an upcoming 6.9.1
> release?
whenever we push this i'll push 1.0.1 simultaneously, with the fix included.